After completing this reading, you should be able to:
- Explain how risks can arise through outsourcing activities to third-party service providers and describe elements of an effective program to manage outsourcing risk.
- Explain how financial institutions should perform due diligence on third-party service providers.
- Describe topics and provisions that should be addressed in a contract with a third-party service provider.
What is Outsourcing?
Outsourcing is the practice whereby an institution hires a third party to perform services and/or produce goods that would otherwise be handled in-house by the institution’s own employees and staff.
Some of the operations commonly outsourced include:
- Printing and mailing.
- Data and network services.
- Recruitment of employees.
- Digital marketing and management of an institution’s social space.
- Security operations.
Some of the reasons include the need to:
- Cut labor, overhead, and equipment costs.
- Dial down and channel all in-house resources toward the core aspects of the business, spinning off operations not considered critical to outside organizations.
- Handle increased demand for services during peak business periods (scalability).
- Take advantage of third-party expertise.
On the downside, the use of service providers to perform operational functions comes with a range of risks. Some of these risks are inherent to the outsourced activity itself, but others come up due to the involvement of a service provider. The use of service providers may expose financial institutions to risks that can result in regulatory action, financial loss, litigation, and loss of reputation. As such, it is imperative that all outsourced services are closely managed and monitored.
Risks Considered before Entering and while Managing Outsourcing Arrangements
Compliance risks: Arise when a service provider’s products or activities fail to comply with applicable U.S. laws and regulations.
Concentration risks: Arise when the outsourced service or product is provided by a limited number of service providers or is concentrated in limited geographic locations.
Reputational risks: Arise when a service provider conducts itself in a manner that causes the public to form a negative opinion about the financial institution.
Country risks: Engaging a service provider based in a foreign country exposes an institution to possible economic, social, and political conditions and events in the country where the provider is located.
Operational risks: A service provider may expose an institution to losses due to inadequate internal processes, failed systems or external events, and human error.
Legal risks: Arise when a service provider exposes a financial institution to legal expenses and possible lawsuits.
In 2019, the UK’s Raphaels Bank was fined £1.89 million for outsourcing failures that rendered customer accounts inaccessible over an eight-hour period on 24 Dec 2015, making 3,367 customers unable to use their prepaid cards and charge cards.
The incident happened after Raphaels’ card processor was hit by a technology failure.
The Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA) accused the bank of “failing to have adequate processes to enable it to understand and assess the business continuity and disaster recovery arrangements of its outsourced service providers – particularly, how they would support the continued operation of its card programs during a disruptive event.”
Royal Bank of Scotland
A similar incident happened in 2012 at the Royal Bank of Scotland. Unbeknown to the public, the bank had outsourced its system software to an IT vendor. The vendor failed to follow through on a planned system update in a timely manner, leaving millions of clients without access to their money. The bank itself was helpless because it had not put a business continuity plan in place in its outsourcing agreement with the vendor.
It is due to such incidents that the Federal Reserve Board issued guidelines on managing outsourcing risk. The guidelines require all banks that outsource services to have a risk management program.
Elements of an Effective Program to Manage Outsourcing Risk
Any financial institution engaged in outsourcing should have a risk management program that is risk-focused and that provides oversight and controls commensurate with the level of risk presented by the outsourcing arrangement. Special attention should be given to activities that may have a substantial impact on the institution’s financial condition and to those that pose material compliance risk. The complexity of the risk management program depends on the number (and types) of outsourced activities.
An effective service provider risk management program is built around six core elements:
- Risk assessments.
- Due diligence and selection of service providers.
- Contract provisions and considerations.
- Incentive compensation review.
- Oversight and monitoring of service providers.
- Business continuity and contingency plans.
- Risk Assessments: Before deciding on whether or not to outsource a business activity, it is important to carry out a risk assessment of the activity. While at it, a financial institution should consider the following:
- Implications of performing the activity in-house or having it performed by a third party.
- Whether outsourcing is consistent with the organization’s strategic direction and business strategy.
- Cost implications for establishing an outsourcing arrangement.
- Availability of qualified and experienced service providers.
- Institution’s ability to provide appropriate oversight and management of the relationship.
Risk assessment should be a regular activity consistent with a financial institution’s service provider risk management program. Following every round of assessment, an institution should scale up (or scale down) its risk mitigation plans, if appropriate.
- Due diligence and selection of service providers: Prior to engaging a service provider, it is important to exercise due diligence and perform an objective evaluation of the provider. The extent of the evaluation varies depending on the scope, complexity, and strategic importance of the planned outsourcing arrangement. The financial institution should involve technical experts and key stakeholders in the due diligence process.
The due diligence process has three key components:
- Business background, reputation, and strategy.
- Financial performance and condition.
- Operations and internal controls.
We shall look into each of these shortly.
- Contract Provisions and Considerations:
- Financial institutions should explore the service contract and all legal issues related to proposed outsourcing arrangements.
- It is important to involve the institution’s legal counsel before any agreements have been signed.
- Incentive Compensation Review:
- Financial institutions should ensure that there’s an effective process to review and approve any incentive compensation that may be embedded in service provider contracts.
- Oversight and Monitoring of Service Providers:
- In order to monitor contractual requirements effectively, financial institutions should establish measurable performance metrics that indicate acceptable performance levels.
- Business Continuity and Contingency Considerations:
- A host of issues can affect a service provider’s ability to offer services.
- A financial institution should ensure that there are contingency and business continuity plans.
- It is imperative that the financial institution itself “knows the drill” so as to be able to cope with an untimely incident.
Due Diligence on Third-party Service Providers
As hinted earlier on, the due diligence process is built around three key elements:
- Business Background, Reputation, and Strategy
As a first step, the financial institution should seek answers to each of the following questions:
- What’s the prospective service provider’s status in the industry?
- What are their corporate history and qualifications?
- What’s the provider’s background and reputation in the industry they operate in?
- Does the provider have an appropriate background check (vetting) program for its employees?
The institution should proceed to engage the provider if and only if it obtains satisfactory answers to these questions.
Ideally, the service provider should be experienced and well-qualified to deliver the service. It is also important to scrutinize the service provider’s business model, including its business strategy and mission, service philosophy, quality initiatives, and organizational policies. The provider’s business model should be resilient and adaptable to a range of potential business directions of the financial institution.
It is also important to:
- Reach out to the service provider’s references to ascertain its performance record.
- Verify any required licenses and certifications.
- Verify whether there are ongoing legal matters involving the service provider or its principals.
- Financial Performance and Condition
It’s imperative to scrutinize the financial condition of the service provider and its closely-related affiliates. The financial review may include the following:
- Recent financial statements and annual reports.
- Sustainability, by looking at the length of time that the service provider has been in business and the proportion of the market that they control.
- How the proposed business relationship will impact the service provider’s financial condition.
- Level of commitment in terms of financial and staff resources.
- The service provider’s insurance status.
- The adequacy of the service provider’s review of the financial condition of any subcontractors.
- The provider’s other current issues that may materially affect future financial performance and/or existence.
- Operations and Internal Controls
- It is the responsibility of the financial institution to ensure that services provided by service providers comply with applicable laws. Such services should also be consistent with safe-and-sound banking practices.
- The following may need to be reviewed:
- Privacy protection of the financial institution’s confidential information.
- Maintenance and retention of records.
- Business resumption and contingency planning.
- Internal controls.
- Facilities management.
- Training, including compliance training for staff.
- Employee background checks.
- Adherence to applicable laws, regulations, and supervisory guidance.
- Security of systems (with regard to data, equipment, and property).
- Systems development and maintenance.
- Service support and delivery.
- Contract Provisions and Considerations
- Financial institutions should explore the service contract and all legal issues related to proposed outsourcing arrangements.
- It is important to involve the institution’s legal counsel before any agreements have been signed.
- The terms of the deal should be put down in writing in a clear, unambiguous manner.
Elements of Well-defined Contracts
- The rights and responsibilities of each party should be clearly spelled out. That includes issues such as:
- Compliance with applicable laws, regulations, and regulatory guidance.
- Terms governing the use of the institution’s property, equipment, and staff.
- Support, maintenance, and customer service.
- Training of financial institution employees.
- The ability to subcontract services.
- Contract timeframes.
Cost and Compensation
- All fees and charges to be paid should be specified.
- The contract should specify the party responsible for the settlement of various costs that may emanate from the contractual arrangement, including legal, audit, and supervisory examination costs.
- The contract should also specify the party that’s responsible for the purchase and maintenance of equipment, hardware, software, and other utilities.
- The financial institution should ensure that the compensation structure does not encourage risky behavior on the part of the service provider.
Right to Audit
- The agreement may give the financial institution the right to audit the service provider or give the institution (or its proxies) access to the provider’s financial statements.
Establishment and Monitoring of Performance Standards
The agreement should specify measurable performance standards for the service or product.
Confidentiality and Security of Information
- The contract must contain extensive provisions that address the confidentiality and security of information pertaining to both parties.
- In order to keep crucial information confidential, the contract may specify the type of information that the service provider can access.
- In particular, contracts have to conform to FFIEC guidance and to section 501(b) of the Gramm-Leach-Bliley Act, which seeks to protect customer information.
- The contract should also require the service provider to disclose any data breaches in a timely manner.
Ownership and License
- The contract should specify instances when the service provider is allowed to use the financial institution’s property.
- In addition, there should be clarity on the ownership of data produced by the service provider.
- If there’s any purchase of software from service providers, the financial institution should ensure that there are escrow agreements that give it the ability to access the source code and programs under certain conditions.
- Agreements should be set out in a way that allows the financial institution to seek indemnification from the service provider if the latter’s negligence leads to claims against the institution.
Default and Termination
- Events that constitute default should be clearly spelled out, including a list of acceptable remedies aimed at restoring the acceptable level of service.
- The contract should set out dispute resolution and escalation mechanisms to ensure that any issues that come up are handled in a timely manner.
- The financial institution should require proof of insurance and notification whenever there’s a change in the provider’s insurance coverage.
- Agreements should give details regarding the responsibilities of both parties in case there’s a customer complaint.
- If the service provider is required to respond to a customer complaint, it should file a report with the financial institution about the incident.
Business Resumption and Contingency Plan of the Service Provider
- Agreements should address the steps that should be taken by the service provider to restore services in the event of an interruption occasioned by operational failures.
- The financial institution should require the service provider to back up data and maintain disaster recovery and contingency plans.
Foreign-based Service Providers
- A contract should attempt to specify the law that should be applied in dispute resolution when the service provider is based in a foreign country.
- If the agreement allows for subcontracting, the subcontractor should be subject to the same contractual provisions as the service provider.
Which of the following tasks is NOT necessarily executed by the financial institution in the course of preparing contingency plans?
A. Ensuring the existence of a disaster recovery and business continuity plan regarding the services and products contracted.
B. The service provider’s disaster recovery and business continuity plan should be assessed by the financial institution to ensure they align with that of their own.
C. The business continuity and contingency plan of the service provider should be tested on a periodic basis by the financial institution to ensure they are adequate and effective.
D. The financial institution should ensure that the foreign-based service providers are complying with their country’s regulations and regulatory guidance.
The correct answer is D.
Ensuring compliance with the rules, regulations, and regulatory guidance of the country in which the financial institution is located, while important and done by the financial institution, is not necessarily a task related to preparing contingency plans.